Ending Soon! Get an iPad Air with Smart Keyboard, or Surface Go, or $300 Off with Online Training through Aug 21!

SEC564: Red Team Exercises and Adversary Emulation

SEC564 gives me the tools and structure to organize, plan, and execute red team engagements.

Josh Hawkins, Anonymous

I loved SEC564. Hands down, the most practical course available.

James Taliento, Cursive Security

Red Teaming is the process of using tactics, techniques, and procedures (TTPs) to emulate real-world adversaries in order to train and measure the effectiveness of the people, processes, and technology used to defend organizations. SEC564 will provide you with the skills to manage and operate a Red Team, conduct Red Team exercises and adversary emulations, and understand the role of the team and its importance in security testing.

Built on the fundamentals of penetration testing, Red Team exercises use a comprehensive approach to gain a holistic view of an organization's security posture in order to improve its ability to detect, respond, and recover from an attack. When properly conducted, Red Team exercises significantly improve an organization's security posture and controls, hone its defensive capabilities, and measure the effectiveness of its security operations.

Red Team exercises require a different approach from a typical security test and rely heavily on well-defined TTPs, which are critical to successfully emulating a realistic adversary. The Red Team exercises and adversary emulation results exceed a typical list of penetration test vulnerabilities, provide a deeper understanding of how an organization would perform against a real adversary, and identify where security strengths and weaknesses exist across people, processes, and technology.

Whether you support a defensive or offensive role in security, understanding how Red Team exercises can be used to improve security is extremely valuable. This intensive two-day course will explore Red Team concepts in-depth, provide the required fundamentals of adversary emulation, and help you improve your organization's security posture.

Course Syllabus


Day 1 begins by introducing you to Red Team exercises and adversary emulations to show how they differ from other security testing types such as vulnerability assessments, penetration tests, and purple teaming. You will be introduced to a number of industry frameworks (including the Cyber Kill Chain, Extended Kill Chain, and ATT&CK, among others) for Red Team exercises and adversary emulations. Threat Intelligence is a main factor and trigger to performing Red Team exercises and will be covered early in the class. A successful Red Teamer needs to know how to obtain and consume threat intelligence to successfully plan and execute an adversary emulation. Red Team exercises require substantial planning, and you will learn what triggers an exercise and how to define objectives and scope and set up attack infrastructure. You'll also learn about roles and responsibilities, including those of the trusted agents (White Team or Cell), and about establishing the rules of engagement. With a strong plan, an exercise execution phase can begin. You will learn how to perform the steps to emulate an adversary and provide a high-value Red Team exercise. The day will conclude with a hands-on lab emulating a chosen adversary against the fictional SEC564 target organization.

  • Consuming Threat Intelligence
  • Attack Infrastructure and an Introduction to Class-long Exercise
  • Recon, Weaponization, Delivery, Exploitation (via Social Engineering), and C2

CPE/CMU Credits: 6

  • About the Course
  • Defining Terms
  • Motivation and Introduction
  • Frameworks and Methodologies
  • Threat Intelligence
  • Planning
    • Triggers, Objectives, and Scope
    • Attack Infrastructure
    • Trusted Agents (White Team or White Cell)
    • Roles and Responsibilities
    • Rules of Engagement
  • Red Team Exercise Execution
    • Reconnaissance
    • Weaponization
    • Delivery
    • Social Engineering
    • Exploitation
    • Basic Command and Control (C2)

Day 2 continues with Red Team exercise execution and wraps up with exercise closure activities. The day is filled with exercises that walk students through the class-long adversary emulation Red Team exercise. Multiple Red Team exercise phases are explored that use realistic TTPs to ultimately meet the emulated adversary objective. During the exercises, you perform discovery of the target network from patient zero, attempt privilege escalation, create advanced command and controls channels, and establish persistence. These exercises reinforce the lecture portion of the course. You will learn various methods for defense evasion and execution, credentials access, and lateral movement and pivoting techniques to then perform them in the exercises and obtain the emulated adversary's objective. Finally, you will complete the exercise by performing the various closure activities that are discussed.

  • Discovery, Privilege Escalation, Advanced C2, and Persistence
  • Defense Evasion and Execution, Credential Access, and Lateral Movement and Pivoting
  • Action on Objectives: Collection, Exfiltration, Target Manipulation, and Obtaining Objectives
  • Exercise Closure

CPE/CMU Credits: 6

  • Red Team Exercise Execution
    • Discovery
    • Privilege Escalation
    • Advanced Command and Control (C2)
    • Persistence
    • Defense Evasion and Execution
    • Credential Access
    • Lateral Movement and Pivoting
    • Target Manipulation, Collection, and Exfiltration
  • Exercise Closure
    • Analysis and Response
    • Reporting
    • Remediation and Action Plan

Additional Information

To get the most value out of this course, students are required to bring their own laptop so that they can connect directly to the exercise network we will create. It is the students' responsibility to make sure the system is properly configured with all drivers necessary to connect to a wired and wireless Ethernet network.


The class does not support Virtual Box, VirtualPC, or other non-VMware virtualization products.

You will use VMware to run a Linux guest operating system to perform exercises in class. You must have a current version of the free VMware Player or current version of the VMware Workstation installed prior to coming to class.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation. VMware will send you a time-limited license number for VMware Workstation if you register for the trial on its website. No license number is required for VMware Player.

If you plan to use a Macintosh, please make sure you bring VMware Fusion.

Mandatory Laptop Hardware Requirements

  • x86-compatible or x64-compatible 2.0 GHz CPU minimum or higher
  • 8 GB RAM minimum with 16 GB or higher recommended
  • The course is designed to use a wireless connection, but an Ethernet adapter may be used if your wireless connection fails. If your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you.
  • 40 GB available hard-drive space
  • An available USB Port

During the course exercises, you will be connecting to a hostile network. Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks you during course exercises.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Security professionals interested in expanding their knowledge of Red Team exercises in order to understand how they are different from other types of security testing
  • Penetration testers and Red Team members looking to better understand their craft
  • Blue Team members, defenders, and forensic specialists looking to better understand how Red Team exercises can improve their ability to defend by better understanding offensive methodologies, tools, tactics, techniques, and procedures
  • Auditors who need to build deeper technical skills and/or meet regulatory requirements
  • Information security managers who need to incorporate or participate in high-value Red Team exercises

The concepts and exercises in this course are built on the fundamentals of offensive security. An understanding of general penetration testing concepts and tools is encouraged, and a background in security fundamentals will provide a solid base upon which to build Red Team concepts.

Many of the Red Team concepts taught in this course are suitable for anyone in the security community. Both technical staff as well as management personnel will be able to gain a deeper understanding of Red Team exercises and adversary emulations.

  • A course USB with Red Team attack infrastructure loaded with numerous tools used for all exercises
  • Details on Red Team use of common tools
  • A variety of sample documents used in threat intelligence, planning, executing, and reporting of Red Team exercises

Leverage Red Team exercises and adversary emulations to obtain a holistic view of an organization's security posture, and to measure, train, and improve people, processes, and technology

  • "I loved SEC564. Hands down, the most practical course available." - James Taliento, Cursive Security
  • "The content from SEC564 is great and I will be able to implement it in my organization right away!" - Kirk Hayes, Rapid 7
  • "SEC564 is perfect for penetration testers looking to move to red teams." - Tim Maletic, D & B
  • "Formalizing the process of red teaming and of automating the testing of defensive security capabilities is an accelerator to any security program." - Michael Machado, Ring Central, Inc.
  • "SEC564 provides a way to 'measure' red team maturity." - Robert Lee Smith , Intel Corporation

Authors' Statement

"Organizations are continually investing more and more in securing their digital assets. Whether investing in talent or technology, most organizations are maturing in their approach to security. While many organizations are performing basic security testing, few are performing end-to-end, threat intelligence-led adversary emulation Red Team exercises. These exercises provide a holistic view of an organization's security posture by emulating a realistic adversary to test security assumptions, measure the effectiveness of people, processes, and technology, and ultimately improve the overall security posture of the organization."

- Jorge Orchilles

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.

5 Training Results
Type Topic Course / Location / Instructor Date Register

Training Event
Penetration Testing
Sep 15, 2019 -
Sep 16, 2019

Penetration Testing
Nov 20, 2019 -
Nov 21, 2019

Training Event
Penetration Testing
Dec 10, 2019 -
Dec 11, 2019

Training Event
Penetration Testing
SANS 2020
Orlando, FL
Apr 3, 2020 -
Apr 4, 2020

Private Training
All Private Training Course of Your Choice Your Choice  

*Course contents may vary depending upon location, see specific event description for details.